Blogs
How to Cross-Sell Compliance to Your Sales Managers
- Compliance Management
- 17 September 16
2 min read
Introduction
The story of Wells Fargo’s cross-selling compliance failure, reminds me of the huge fine that HSBC received in 2012 for mis-selling— over $3 billion. Wells Fargo’s $185 million fine for poor cross-selling practices pales in comparison – but still “ouch!” Even worse and more costly could be the reputation damage — Wells Fargo styles itself as the big bank that has that small town feel.
According to reports, Wells Fargo had identified violations of its cross-selling policies for years — for instance, issuing credit cards without fully informing customers — and significant remedial actions, sometimes even with mass firings of offenders. The tone at the top seems to have been pretty clear and supportive of compliance. Yet on the other hand, failing to meet sales quotas could also result in a firing — as it should.
At most companies, we find that employees are rewarded for meeting goals that are tied to business goals — with performance indicators focused on production, growth, and sales. There is no reward for not breaking the rules. “Hey, John — thanks for not doing anything illegal this quarter — here’s an extra $2,000” — nope, that doesn’t happen.
Give Managers the GRC Tools They Need
The challenge for managers in the middle is how to communicate both compliance and sales goals, and how to monitor just as strongly for compliance as for performance. Managers have the customer relationship management systems, sales force automation applications, and financial management tools to track progress toward the achievement of financial objectives. However, they also need the tools to monitor and track compliance of the employees on their teams. What costs less — the fines and reputation damage of repeated compliance failures, or investments in the GRC tools that managers need?
Monitor the Mood in the Middle
Executives also need to monitor the mood in the middle. Frankly, the best way to do this is to talk directly to employees on the teams to see what messages they are getting from their managers. Often these are formal “skip-levels,” but informal visits and conversations can also give you a sense of the mood in the middle.
Monitor for Fraud Continuously
You get what you inspect, not what you expect. So, frequent, even continuous monitoring of sales for fraudulent activity should be the norm for a company whose growth is heavily dependent on consumer cross-selling.
Jump to Topic
Related Resources
Blogs
The Third Wave Of Technology Transformation For Banking And Financial Services
- Compliance Management
- 05 August 16
1 min read
Introduction
Banking and Financial Services industry is undergoing a strategic shift with the advent of disruptive technologies such as Fintech, Blockchain, and IoT which are challenging the established technology based banking models. This may be the third wave of technology transformation to reshape the modern financial institutions around the world, the first two being ‘computerization’, which moved the banking operations from paper based to software based, and the second being ‘internet/mobile banking’ which radically changed the way banks delivered their services to the customers.
However, with the arrival of each technological shift have come new challenges, and this trend is not likely to change much in near future. Cybersecurity has become one of the biggest concerns for the organizations across the globe. Regulators are also continuously altering the existing regulatory landscape in the larger interest of the consumers and the economy as a whole.
In the course of this blog series, I will take you through some of these disruptions in the banking and financial services industry, and how adopting a mature Governance, Risk and Compliance (GRC) based approach may be the way forward. My first blog will talk about the changing regulatory landscape and five steps that you may want to adopt to stay ahead of the curve.
Jump to Topic
Related Resources
Blogs
Welcome!
- Audit Management
- 04 August 16
1 min read
Introduction
Welcome to the initial entry of this blog! In subsequent posts, I’ll discuss competitive trends I’m observing in the GRC market along with other issues that will affect GRC vendors.
Earlier in my career, I had the opportunity to work in the CRM industry and saw directly how that market grew, matured and eventually consolidated. In many ways, today’s GRC market is similar (buyers still learning what GRC means to them, no dominant market player, little M & A activity to date) to how the CRM market appeared in the early 2000’s.
Thanks for joining and I’m looking forward to speaking with you.
Warren
Jump to Topic
Related Resources
Blogs
5 Steps To Stay Ahead Of Regulatory Change
- Compliance Management
- 02 August 16
5 min read
Introduction
Banking and Financial Services Institutions across the globe are struggling to keep pace with regulatory change, and, quite often, grappling with the sheer volume and the complexity of these updates can be a laborious, up-hill battle.
According to a survey by MetricStream which polled the responses of 123 compliance professionals across North America & Europe, 19% of the respondents reported taking up to a year to implement regulatory changes1. Considering the magnitude of change that financial institutions have to deal with, this may no longer be affordable.
It may have been possible to keep a track of regulatory updates using standard manual approaches during the pre-financial meltdown era, but as regulators continue to usher in more reforms in this age of rapidly evolving and disruptive financial technologies — including Fintech, IoT, and Crypto currencies — standard models are proving to be ineffective.
Yet, the survey shows that 48% of the organizations surveyed are still using office productivity software (Excel spreadsheets) to track regulatory changes.
The need of the hour is to develop a robust and technologically reinforced regulatory change management framework to help manage the next wave of regulatory reforms. A “wait-and-watch” approach is no longer sustainable, and organizations would need to proactively address this business challenge before it gets too late. Adopting the below model, which elucidates 5 basic principles to develop a robust regulatory change management framework, would equip organizations with the right set of tools to manage regulatory changes and stay ahead of the curve.
1. Keeping Track of Regulatory Updates
Organizations have to keep track of regulatory content from global as well as regional regulators from a multitude of sources including regulatory publications, industry associations, national and local media, and specialized content providers such as LexisNexis, Thomson Reuters, etc. With so many sources to keep track of and high volumes of relevant content to analyze, organizations may find this exercise time consuming and resource incentive.
The solution? A cloud based content platform which serves as a one-stop shop for regulatory content from various sources. Using this platform, compliance professionals can subscribe to curated content based on predefined rules and keywords, which can be streamed directly as RSS feeds, alerts, or email notifications. Pre-defined rules can be setup based on a variety of regulatory attributes including industry, jurisdiction, topic, state, due-date, etc., thereby ensuring relevant information reaches subscribers in real time
2.Standardizing the Regulatory Taxonomy
A global organization has to deal with inconsistencies in regulations across geographies and multiple business operations. Having a standard regulatory taxonomy in line with the organizational hierarchy and consistent in terms of language, terminology, and structure will improve communication among stakeholders, making it easier to setup a robust compliance framework. Additionally, it helps organizations to categorize, store, and deliver regulatory updates without having to frequently modify the rules and linkages that have been setup in the system.
One way to standardize the taxonomy is to setup a centralized GRC repository to store all regulatory updates from across the organization, index updates according to the organizational hierarchy, and map them to multiple GRC attributes such as risks, controls, policies, etc.
3. Assigning Regulatory Responsibilities
In order to ensure accountability, it is important to clarify the roles and responsibilities of the individuals who manage the compliance function. While a cloud-based content platform will ensure the right information reaches the right set of users, each user should be a seasoned compliance professional with the ability to scrutinize these regulatory updates to determine whether they are applicable to the organization. Relevant SMEs need to be identified within the organization who understand the laws/regulations and have sufficient knowledge to analyze these updates in detail.
How can organizations achieve this? Ensure that there is first level of screening or assessment by a centralized regulatory coordinator to determine the applicability of the regulatory updates to the organization. He or she would then pass the mantle on to individual assessors within relevant departments for detailed impact analyses. Finally, collaboration with external stakeholders also becomes important when regulators, customers, business partners, and other parties need to be informed on any changes in the organization’s overall processes, policies, controls, or other factors.
It is important to clearly document these roles and responsibilities, establishing accountability in the complete information lifecycle — from the time a new alert is delivered to the time it is successfully implemented. Additionally, it is recommended that the senior management be actively involved at each stage, and the board has clear visibility into the whole process.
4. Assessing the Business Impact
Every regulatory update needs to be assessed in terms of the business impact it has on the organization. After the initial applicability assessment, each business unit can carry out a detailed impact analysis on an update to identify which risks, controls, policies, procedures, trainings, and reports are affected and need to be revised.
It is also important to group similar regulatory updates as it will help not only in eliminating duplicates but also in identifying similar trends and patterns in the risks, controls, policies, and other areas that are impacted. This analysis then needs to be rolled up as per the defined organizational hierarchy to provide a holistic view of the impact across the enterprise.
At any point of time, an organization should be able to gain a comprehensive view of the number of regulatory updates effecting them both holistically and by business unit or functional area.
5. Implementing Regulatory Change
The next step would be to formulate action plans, listing out tasks that need to be assigned to relevant users. Standard workflows need to be defined for the review and approval processes with escalation capabilities when the tasks become overdue. Additionally, to ensure nothing goes amiss, it would help if business users are notified of the tasks that have been assigned to them through standard email notifications and reminders.
At each stage of the implementation process, reports and dashboards should provide visibility into real time status of the change, accountability, and the overall impact on the organization.Furthermore, it is important to log any issues or findings with defined remediation plans for quick and efficient issue closure and resolution.
To make these steps easier and achievable, organizations can opt for a robust and comprehensive regulatory change management solution which leverages a common foundation to facilitate multi-dimensional mappings with other GRC elements. Such a solution can help centralize disparate, siloed, and manual operations across business units and geographies, and align them with the organization’s overall business goals and objectives. This will not only help them track and analyze the all too frequent regulatory changes, but also ensure that these changes are effectively and efficiently implemented.
References:
Jump to Topic
Related Resources
Blogs
3 Key Workplace Policies that Startups Can’t Afford to Ignore
- Compliance Management
- 23 November 15
5 min read
Introduction
Most startups are focused on getting their business off the ground. As a result, they usually delay policy development until a later date. But here’s why it’s important to draft and implement certain policies right at the start of your business: policies pre-empt and prevent misunderstandings between employees and employers about obligations and behavior at the workplace. More importantly, they help protect a business against lawsuits and employee disputes which could otherwise wipe out a startup before it has had a chance to take off.
Here are a few key policies that startups would do well to focus on:
1. Paid Time-Off (PTO)
Many startups provide a consolidated bank of vacation days and sick days that employees can draw from. Other startups offer an unlimited time-off system. Whatever your approach, remember that a time-off system is only as effective as the policy surrounding it.
In one of the companies I worked for, a PTO policy wasn’t implemented until the business was ten years old. By then, significant expenses resulting from accrued vacation had built up. So, even though the PTO policy was eventually established, a number of people were immediately out of compliance since they had accrued more time off than the policy maximum. Addressing these exceptions took considerable time and company resources.
To avoid such mishaps, proactively draft a time-off policy with clear requirements. For instance, in a PTO policy, sick employees should understand that it’s best for them to stay away from work and avoid infecting other people, rather than come into work just because they want to save on their sick days.
Create a chain of approval. So, if employees want time off for a vacation, your policy might require them to get the approval of their team lead as well as their local manager. If there are times of the year when all hands are needed on deck, create a policy that establishes “freeze vacation” periods.
Educate managers to counsel employees who misuse the time-off policy.
2. Sexual Harassment and Equal Opportunity Policies
In 2013, the Equal Employment Opportunity Commission (EEOC) received over 7,200 charges of sexual harassment. Meanwhile, in a HuffPost/YouGov survey, 32 percent of respondents reported having been harassed by a boss/superior or co-worker.
Instances of workplace sexual harassment or even discrimination due to race, religion, disability, and other factors can not only result in expensive lawsuits, but also severely damage the trust that other employees and customers have in your business. That’s why it’s important to establish policies around sexual harassment and discrimination, up front.
Make sure that these policies clearly define what constitutes sexual harassment and discrimination. Provide clear, real-life examples of the same. For instance, if an employee repeatedly asks a coworker out on a date despite being refused multiple times, it could be construed as sexual harassment. Emphasize zero tolerance for these behaviors.
Encourage employees to raise complaints if they are harassed. Clearly describe in your policy how they should go about it.
More importantly, walk the talk by translating policies into procedures. At one of the companies I worked for, an employee raised a case of sexual harassment against her manager as well as her department head and others. Despite there being a sexual harassment policy in place, appropriate action was not initiated in response to her claim in a timely manner.
So, make sure to train all managers on their roles and responsibilities in preventing as well as responding to sexual harassment or discrimination. Ensure prompt and impartial investigations and action.
3. Expenses
In a startup, cash is always scarce. To make sure that it isn’t unnecessarily wasted, implement expense policies that cover things like Internet and cell phone usage, travel, hotels, meals, and entertainment.
Netflix is known for its unusual expense policy, which simply asks employees to “act in Netflix’s best interests.” Depending on the culture/ philosophy of your startup, you might implement a similar policy, or perhaps go further, and outline what exact expenses will be covered by your policy, and what won’t.
A 2012 Robert Half Management Resources survey found that CFOs receive many unusual items on expense reports, including cosmetic surgery, lottery tickets, pet food, and even teepees! To avoid such out-of-policy claims, make sure that there’s no ambiguity in your expense policies. At the same time, keep the policies flexible depending on each employee’s roles and responsibilities. For instance, a sales representative could be allowed to spend company resources on taking prospective buyers out to lunch.
Set clear deadlines for submitting expense claims. Reimburse these claims in a timely manner. And ensure that your policy isn’t a maze of complicated processes. Employees shouldn’t have to read a 25-page document of how to submit travel expenses. Keep things simple and straightforward.
Finally, invest in a system that will help you enforce expense policies effectively, and also automate and streamline expense tracking. A cloud-based system is usually cost-effective to implement, and has the flexibility to adapt to changes and growth in your startup. One of the most popular options is Concur.
Policy Management Best Practices
Here are a few other tips to keep in mind while implementing your policies:
- Create a common, central repository of all policies so that employees can easily access them whenever needed.
- Get the help of a lawyer to properly word your policy documents and to make sure that all relevant laws/regulations are covered.
- Don’t just have your policies exist on paper—communicate them to all employees through effective training programs.
- Implement surveys and certifications to make sure that employees have read and understood the policies.
- Don’t let policies become outdated—periodically review and update them.
- Simplify and accelerate policy development by using pre-existing policy templates like this one from Trustmark National Bank, or this employee handbook from Small Business Notes, or these sample employee policies from TotallyLocalHR.com. But make sure to customize these policies to suit your business model, instead of copying them verbatim.
At the end of the day, it’s important to strike a balance between too many and too few policies. Too many policies, especially in a startup, will only create additional administrative complexities. Too few will open your organization to multiple legal and compliance risks. So identify and focus on those policy areas that are important to your organization. More importantly, hire employees who will behave in a way that’s consistent with your company culture, and who will act in your company’s best interests without needing strict compliance monitoring.
This post authored by Shellye Archambeau was originally published by Xconomy. The original article can be accessed here: Three Key Workplace Policies
Jump to Topic
Related Resources
Blogs
Through the GRC Lens – Trending Headlines in July 2019
- Compliance Management
- 02 August 12
3 min read
Introduction
An entire nation gets hacked, Marriott and British Airways come under the radar and suffer huge GDPR fines, and Microsoft claims to have warned over 10,000 users of hacks, in the past year. As data governance becomes imperative, data ethics is increasingly becoming a valuable business driver. – Here are trending media stories in July 2019.
5 million taxpayers in Bulgaria get hacked
A hacker broke into Bulgaria’s largest Tax database and accessed records of 5 million tax-payers in the country.
According to Business Insider, “This hack is the country’s biggest-ever data breach and the government is fining the NRA 20 million Euros.” The hacker looted customers of their personal and financial data that included retirement pension information, addresses, incomes, photographs, names and more.
The hack happened in June this year but remained undetected until a message from a Russian email address was sent to Bulgarian news outlets claiming responsibility for the attack in July.
BIA, Bulgarian Industrial Association, had warned about possible flaws in the tax agency’s data protection system a year ago. Stanislav Popdonchev, Deputy Head, BIA now demands that detailed information about the leak should be sent to every person and company affected.
British Airways and Marriott face GDPR fines equaling £300M
Last year, around the same time when the GDPR came into force, the UK enacted the Data Protection Act 2018 (DPA).
The EU-wide regulation enforced laws around the use of consumer data, and a mandatory upgrade of weaker national data protection laws for the internet. According to the Guardian, “To ensure companies take the new data protection rules seriously, GDPR gave data regulators the power to fine up to €20m, or 4% of annual global turnover, whichever was greater.”
Early this month, British Airways and Marriott suffered huge GDPR fines from the Information Commissioner’s Office (ICO). The ICO imposed a £183.39 million fine on BA and £99 million on Marriott, for ‘infringements of the GDPR’.
ICO officials claim that, in the 2018 incident, BA was involved in diverting user traffic data from the British Airways website to a fraudulent site, where cyber attackers were harvesting personal data of approximately 500,000 customers.
In 2016 when Marriott acquired Starwood, they failed to undertake sufficient due diligence and secure their systems, in spite of the 2014 incident when Starwood’s systems were compromised, said ICO.
Choosing the Ethical Road
Big businesses are mass-mining data around the clock. Bulgaria’s extraordinary attack highlights the fact that with the help of hacking tools available on the dark web, it is possible for amateur hackers to create enormous damage, easily.
Recently, Microsoft said that they have warned nearly 10,000 people, in the past year that hackers have targeted or breached their accounts. The British Airways and Marriott fine incidents are examples of how even large organizations can be held culpable for non-compliance to the GDPR.
With the rise of cyber vulnerabilities, organizations are investing more time and resources in ensuring regulatory compliance. According to Forbes, “The reason why data privacy and protection have become important political issues and generated widespread support for stricter regulations, is because, at heart, companies’ misuse of data is a profound ethical issue.”
Data is an asset that has recently gained attention. Organizations are focusing on strengthening data risk management and security by leveraging the right governance tools to streamline data collection and classification and ensure compliance. Failing to govern data can minimize the value of data assets.
The interlinkage between corporate governance, risk and compliance, is underpinned by data. Investing in a good data governance program can offer substantial benefits like positive brand perception, database error reduction, accurate metrics and informed decision-making capabilities.
An ethical approach to data governance will help organizations better manage regulatory compliance to current and future regulations on data privacy, safeguard shareholder and employee trust, and promote business continuity.
Jump to Topic